The single most important rule
The four mandatory permission settings (universal across venues)
Every exchange’s API key creation form has a permissions section. The universal rule, valid across all 17 supported venues:✅ Read — always enable
✅ Read — always enable
✅ Spot trading — always enable
✅ Spot trading — always enable
❌ Withdrawals — NEVER enable
❌ Withdrawals — NEVER enable
❌ Margin / Futures / Derivatives — disable unless required
❌ Margin / Futures / Derivatives — disable unless required
❌ Internal transfers / Universal transfer — disable
❌ Internal transfers / Universal transfer — disable
IP allowlisting — a strong second factor
What IP allowlisting is
What IP allowlisting is
-2015 (Binance) or equivalent.With IP allowlisting active, an attacker who has stolen your API key still needs to be on an allowlisted IP to use it. They typically aren’t.How to find your VPS's static IP
How to find your VPS's static IP
Allowlist propagation delay
Allowlist propagation delay
30–60 seconds before testing. Most venues’ API gateways propagate the change asynchronously, and a test immediately after save may fail until propagation completes.If your test fails after a save, wait a minute and try again before assuming something else is wrong.What to do if your VPS IP changes
What to do if your VPS IP changes
When you can't IP allowlist
When you can't IP allowlist
- The API key is more sensitive — protect it more carefully.
- Rotate more frequently (monthly instead of quarterly).
- Watch the venue’s API-key audit log more closely for anomalies.
The pre-flight checklist for every API key
Before you paste a new API key into the unCoded Dashboard, run through this checklist. If any item fails, fix it before proceeding.Verify withdrawal is disabled
Verify spot trading is enabled
Verify margin / futures / derivatives is disabled
Verify IP allowlist is set
Verify the key has a descriptive label
unCoded-prod-binance-main so you can identify it later. Multi-key operators benefit hugely from clear labels — unCoded-test-bybit-2026q1 is clearer than My API Key 3.Confirm the secret is saved in your password manager
Rotation cadence
Quarterly rotation (recommended baseline)
Quarterly rotation (recommended baseline)
- At the venue, create a new API key with the same permissions and IP allowlist as the current one.
- Save the new key/secret in your password manager.
- Update the unCoded Dashboard with the new credentials.
- Test the connection — it should succeed.
- At the venue, revoke the old API key.
- Verify the bot is still trading normally.
Immediate rotation triggers
Immediate rotation triggers
- Your VPS was compromised, restored from backup, or migrated.
- You logged into the venue from an unfamiliar device.
- You see unfamiliar API key activity in the venue’s audit log.
- The venue notifies you of a security incident.
- You shared the API key (even briefly, even with someone trusted, even via “secure” chat) — once shared, it’s not secret anymore.
- A team member with access has left, been let go, or had their device compromised.
- You suspect anything weird, even if you can’t articulate why.
Annual rotation review
Annual rotation review
- Are there any keys you no longer use? Revoke.
- Are the permissions still correct? Tighten if anything has loosened.
- Are the IP allowlists current? Update if your VPS IPs have changed.
- Are the labels still descriptive? Re-label if you’ve forgotten what they’re for.
Key inventory
Key inventory
| Venue | Label | Created | Last rotated | Permissions | IP allowlist |
|---|---|---|---|---|---|
| Binance | unCoded-prod-binance-main | 2026-01-15 | 2026-04-15 | Spot, Read | 203.0.113.45 |
What an attacker can do with each level of compromise
Understanding the threat model helps calibrate your response to each scenario.Read-only key leak
Read-only key leak
Spot trading key leak (correct configuration, withdrawal disabled)
Spot trading key leak (correct configuration, withdrawal disabled)
Spot trading key leak with withdrawal enabled (DO NOT DO THIS)
Spot trading key leak with withdrawal enabled (DO NOT DO THIS)
Account credentials (email + password) leak
Account credentials (email + password) leak
Layered defense — multiple weak factors > one strong factor
The right mental model: stack multiple weaker layers rather than relying on one strong layer. Each layer adds cost to the attacker without adding meaningful cost to you.Layer 1: Permission scoping
Layer 2: IP allowlisting
Layer 3: 2FA on the venue account
Layer 4: Secret hygiene
Layer 5: Periodic rotation
Layer 6: Audit log review
Common mistakes operators make
❌ 'I'll enable withdrawals just in case'
❌ 'I'll enable withdrawals just in case'
❌ 'I'll skip IP allowlist, my VPS is secure'
❌ 'I'll skip IP allowlist, my VPS is secure'
❌ 'I'll save the API secret in a Git repo so I can deploy from CI'
❌ 'I'll save the API secret in a Git repo so I can deploy from CI'
❌ 'I'll use one API key across multiple bots'
❌ 'I'll use one API key across multiple bots'
❌ 'I'll skip 2FA on the venue account because the API key is secured'
❌ 'I'll skip 2FA on the venue account because the API key is secured'
❌ 'I'll create the key once and never touch it'
❌ 'I'll create the key once and never touch it'
❌ 'I'll leave the key on Unrestricted IP because I might log in from somewhere else'
❌ 'I'll leave the key on Unrestricted IP because I might log in from somewhere else'
When something goes wrong
If a key leaks (suspected or confirmed)
If a key leaks (suspected or confirmed)
- Revoke the leaked key immediately at the venue.
- Generate a new key with correct permissions.
- Update the Dashboard with new credentials.
- Restart the affected TradingBot container.
- Verify the bot resumes trading normally.
- Review the venue’s API audit log for the leak window — was the key used by the attacker? What did they do?
- Document the incident in your operator log: when, how, what was the impact.
- Review your security posture — was 2FA on? Was withdrawal disabled? Was IP allowlist active? Tighten any layer that wasn’t.
If a connection test fails after creating a key
If a connection test fails after creating a key
- IP allowlist propagation delay. Wait
30–60seconds and retry. - IP allowlist mismatch. Verify your VPS’s actual public IP matches what’s on the allowlist.
- Wrong permissions. Verify spot trading is enabled.
- Wrong secret pasted. Re-paste the secret, watching for trailing whitespace.
- Clock drift. Verify your VPS’s NTP sync; rejection codes related to timestamps usually indicate clock skew.
-2015, Bybit 10003) usually point at the cause.If the bot stops trading and the key looks fine
If the bot stops trading and the key looks fine
- Kill switch on?
- Exchange-side outage?
- Rate limit?
- Min-notional rejection?
- Insufficient balance?
- API key still active at the venue?